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DETAILED ACTION 
Claim Objections 

1 . Claim 36 objected to because of the following informalities: second repetition of 
"determines that the server device is authorized to receive the private information 
associated with the client device" renders the claim ungrammatical and should be 
omitted. Appropriate correction is required. 

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

3. Claims 1-7, 9-23, and 34-36 rejected under 35 U.S.C. 102(b) as being 
anticipated by Winslett et al ("Assuring Security and Privacy"). 

4. As per claims 1 and 34, Winslett et al discloses the following: 

a receiving step (see "set of credentials is submitted with a request for service" 
on page 143, 2nd column, 2 nd paragraph), 

a determining step (see "determines what credentials are needed for a particular 
service request" on page 142, 1 st column, 1 st paragraph), 

a negotiating step (see "submitting them [the credentials] to the server" on page 
142, 1 st column, 2 nd paragraph and see "this may require an extra round of 
communications with the server, which should be carried out automatically" on page 
142, 2 nd column 1 st full paragraph), and 
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a producing step (see "sending the response to the client" on page 146, 2 nd 
column, 1 st partial paragraph). 

5. As per claim 3, in addition to the teachings applied above, Winslett et al discloses 
steps for receiving the private information associated with the client device (see "SSA 
can use the credentials attached to the request" on page 145, 2 nd column, 3 rd full 
paragraph) and producing the response to the request based at least in part on the 
private information (see "SSA . . . wishes to return an explanation to the PSA, the SSA 
can use the credentials attached to the request to determine what portion and version of 
its knowledge base it is willing to share" on page 145, 2 nd column, 3 rd full paragraph; 
and see "sending the response to the client" on page 146, 2 nd column, 1 st partial 
paragraph). 

6. As per claim 6, in addition to the teachings applied above, Winslett et al discloses 
that the method is performed on a server (see "submitting them [the credentials] to the 
server" on page 142, 1 st column, 2 nd paragraph and see "this may require an extra 
round of communications with the server, which should be carried out automatically" on 
page 142, 2 nd column 1 st full paragraph). 

7. As per claim 7, in addition to the teachings applied above, Winslett et al discloses 
that the private information is attached to the request (see "attaches them [credentials] 
to service requests" on page 142, 1 st column, 1 st paragraph). 

8. As per claims 9 and 35, in addition to the teachings applied above, the preferred 
embodiment of Winslett et al discloses steps for the following: 
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establishing an authorization agreement that enables the proxy server to 
negotiate privacy agreements (see "the personal security assistant is to manage a 
client's credentials in accordance with the stated policies of the client"), 

receiving a request (see "set of credentials is submitted with a request for 
service" on page 143, 2nd column, 2 nd paragraph), and 

receiving a proposed privacy agreement from the server device (see "policy on 
credential submission" on page 142, 2 nd column, last paragraph to page 143, 1 st 
column, 1 st partial paragraph, and see "SSA must also be able to export portions of its 
credential acceptance policy to clients who ask for explanations of its server's security 
policy" on page 143, 2 nd column, 1 st partial paragraph). The Office interprets that the 
server's security policy includes an explanation of how the server agrees to maintain the 
accepted credentials' security. 

Winslett et al also discloses a step for accepting the proposed privacy agreement 
(see "determines what credentials are needed for a particular service request" on page 
142, 1 st column, 1 st paragraph, see "assistant should cache information about what 
credentials are required for its client's most frequently and most recently accessed 
servers" on page 142, 2 nd column, 1 st full paragraph, see "policy on credential 
submission" on page 142, 2 nd column, last paragraph to page 143, 1 st column, 1 st partial 
paragraph, and see "credential acceptance policy" on page 143, 2 nd column, 1 st partial 
paragraph). The Office interprets Winslett et al's using the credential acceptance policy 
and determining a credential submission policy based upon it to constitute acceptance 
of that policy. 
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Winslett et al additionally discloses a step for providing the private information to 
the server device (see "set of credentials is submitted with a request for service" on 
page 143, 2 nd column, 2 nd paragraph). 

9. As per claims 2, 4, 5, 11, and 12, in addition to the teachings applied above, 
Winslett et al discloses that the private information includes client-provided location 
information of a client device associated with a network (see "credential", "University of 
Illinois", "Faculty/Staff ID Card", "to access on-line services of the university libraries", 
and "driver's license" on page 141, 1 st column, 1 st full paragraph and last paragraph). 

10. As per claims 13 and 14, in addition to the teachings applied above, Winslett et al 
discloses that the request including the private information associated with the client 
device is received at the proxy server (see "the proxy must intercept requests and then 
attach any needed credentials to them" on page 146, 1 st column, last paragraph to page 
146, 2 nd column, 1 st partial paragraph) and that the response is produced by the server 
device (see "SSA must also be able to export portions of its credential acceptance 
policy to clients who ask for explanations of its server's security policy" on page 143, 2 nd 
column, 1 st partial paragraph and see "proxy must examine responses to requests, 
looking for security-related information" on page 146, 2 nd column, 1 st partial paragraph). 

11. As per claims 10 and 15, in addition to the teachings applied above, Winslett et al 
discloses that said providing operates to provide the private information to the server 
device after said accepting of the proposed privacy agreement as the privacy 
agreement or after said negotiating of the privacy agreement (see "submitting them [the 
credentials] to the server" on page 142, 1 st column, 2 nd paragraph and see "the personal 
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security assistant must also be able to understand what credentials are required for a 
particular service request; this may require an extra round of communications with the 
server, which should be carried out automatically" on page 142, 2 nd column 1 st full 
paragraph). 

12. As per claim 16, in addition to the teachings applied above, Winslett et al 
discloses that said providing operates to refuse to provide the private information to the 
server device (see "which [credentials] should never be given out without explicit run- 
time permission" and "if any" on page 143, 1 st column, 1 st and 2 nd paragraphs). 

1 3. As per claim 1 7, in addition to the teachings applied above, Winslett et al 
discloses a step for determining whether an existing privacy agreement already exists 
(see "the use of server 'cookies' to retain state across interactions with a client" and 
"avoid resending credentials with subsequent service requests" on page 146, 2 nd 
column, 1 st full paragraph) and a step for bypassing said receiving of the* proposed 
privacy agreement and said accepting of the proposed privacy agreement (see "avoid 
resending credentials with subsequent service requests" on page 146, 2 nd column, 1 st 
full paragraph). 

14. As per claim 18, in addition to the teachings applied above, Winslett et al 
discloses steps for the following: 

identifying an existing agreement between the server device and the client 
device, the existing agreement having a predetermined coverage (see "credential 
acceptance policy" on page 145, 1 st column, 1 st full paragraph) and 
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determining whether the request is covered by the predetermined coverage of 
the identified existing agreement (see "determines the set of roles that the client can 
assume for this kind of request, given the credentials submitted" on page 145, 1 st 
column, 1 st full paragraph). 

15. As per claims 19, 20, and 36, in addition to the teachings applied above, Winslett 
et al discloses a step for the following: 

receiving a request (see "set of credentials is submitted with a request for 
service" on page 143, 2 nd column, 2 nd paragraph) and 

determining whether a privacy agreement is needed (see "determines what 
credentials are needed for a particular service request" on page 142, 1 st column, 1 st 
paragraph, and see "policy on credential submission" on page 142, last paragraph to 
page 143, 1 st partial paragraph). 

Winslett et al also discloses a step for determining whether the server device is 
authorized to receive the private information (see "policy on credential submission" on 
page 142, last paragraph to page 143, Impartial paragraph). The service requests in 
Winslett et al are categorized such that the resulting categories correspond to a 
classification of credentials in two sets according to the free or restrictive manner in 
which the service requests in that category may distribute them. The Office interprets 
the categorization of service requests to factor in the servers that receive these 
requests. 
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Winslett et al additionally discloses a step for providing the private information to 
the server device (see "set of credentials is submitted with a request for service" on 
page 143, 2 nd column, 2 nd paragraph.) 

As per claims 21 , 22, and 23, in addition to the teachings applied above, Winslett 
et al discloses a response to the request at the server device (see "sending the 
response to the client" on page 145, 2 nd column, 1 st partial paragraph). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 8-18, 25-26, 31-33, and 35 rejected under 35 U.S.C. 103(a) as being 
unpatentable over Winslett et al ("Assuring Security and Privacy") as applied to claims 
1-7, 9-23, and 34-36 above. 

As per claims 9-18 and 35, in addition to the teachings applied above, the 
preferred embodiment of Winslett et al discloses steps for the following: 

establishing an authorization agreement that enables the proxy server to 
negotiate privacy agreements (see "the personal security assistant is to manage a 
client's credentials in accordance with the stated policies of the client"), 

receiving a request (see "set of credentials is submitted with a request for 
service" on page 143, 2nd column, 2 nd paragraph), and 
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obtaining a proposed privacy agreement (see "policy on credential submission" 
on page 142, 2 nd column, last paragraph to page 143, 1 st column, 1 st partial paragraph). 

Winslett et al also discloses a step for accepting the proposed privacy agreement 
(see "determines what credentials are needed for a particular service request" on page 
142, 1 st column, 1 st paragraph, and see "policy on credential submission" on page 142, 
2 nd column, last paragraph to page 143, 1 st column, 1 st partial paragraph). The Office 
interprets Winslett's using a policy on credential submission to imply acceptance of that 
policy. 

Winslett et al additionally discloses a step for providing the private information to 
the server device (see "set of credentials is submitted with a request for service" on 
page 143, 2 nd column, 2 nd paragraph). 

Winslett et al's preferred embodiment fails to explicitly disclose that the privacy 
agreement is received from the server device associated with the request. However, an 
alternative embodiment of Winslett et al discloses this feature (see "a client has a list of 
qualifications that servers must meet before the client will do business with them" on 
page 149, 2 nd column, 2 nd full paragraph). The Office interprets these qualifications to 
include a server's agreement to a limited license to use the credentials provided by the 
client, the direct counterpart to a client's agreement to a limited license to use the 
services provided by the server in the preferred embodiment. Therefore, it would have 
been obvious to one of ordinary skill in the art at the time the invention was made to 
modify Winslett et al's preferred embodiment by including an agreement by the server to 
a limited license to use the credentials provided by the client in the manner taught by an 
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alternative embodiment of Winslett et al. One of ordinary skill in the art would have 
been motivated to do so in order for the client "to be careful in selecting the servers with 
whom it conducts business" (see page 149, 2 nd column, 2 nd full paragraph). 

As per claims 8, 25, 26, 31, 32, and 33, in addition to the teachings applied 
above, Winslett et al discloses the following: 

a proxy server device (see "personal proxy" on page 145, 1 st column, last 
paragraph) and 

a storage area (see "SSA must be able to reason about sets of credentials" on 
page 143, 1 st column, last paragraph, and see "SSA firsts decrypts, parses, and verifies 
each credential" on page 143, 2 nd column, 1 st full paragraph). The Office interprets 
"decrypts, parses, and verifies each credential" to imply that the server security 
assistance includes a storage area that stores the credentials. 

Winslett et al also discloses a privacy manager (see "credential acceptance 
policy" and "SSA must also be able to export portions of its credential acceptance policy 
to clients who ask for explanations of its server's security policy" on page 143, 2 nd 
column, 1 st partial paragraph; see "assistant should cache information about what 
credentials are required for its client's most frequently and most recently accessed 
servers" on page 142, 2 nd column, 1 st full paragraph; see "determines what credentials 
are needed for a particular service request" on page 142, 1 st column, 1 st paragraph; and 
see "policy on credential submission" on page 142, 2 nd column, last paragraph to page 
143, 1 st column, 1 st partial paragraph). 
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Official notice is taken that wireless client devices (e.g. battery-powered laptop 
computer) and wireless networks (e.g. Meier - US 5748619) have been well known and 
practiced in the computer art at the time the invention was made. Therefore, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made 
to modify Winslett et al by including a wireless client device supported by a wireless 
network as the client and the network. One of ordinary skill in the art would have been 
motivated to do so in order to increase the portability of the client computers in a 
network setting and to increase access to the network. 

As per claim 33, in addition to the teachings applied above, Winslett et al 
discloses that the information includes private information and non-private information 
and that the privacy manager restricts access to the private information but not the non- 
private information (see "the policy tells which credentials can be freely distributed and 
which should never be given out without explicit run-time permission" on page 143, 1 st 
column, 1 st partial paragraph). 

Claim 24 rejected under 35 U.S.C. 103(a) as being unpatentable over Winslett et 
al ("Assuring Security and Privacy") as applied to claims 1-23, 25-26, and 31-36 above, 
and further in view of Baker et al (US005696898A). Winslett et al discloses a step for 
determining that the server device is authorized to receive the private information 
associated with the client device (see "policy on credential submission" on page 142, 
last paragraph to page 143, 1 st partial paragraph). Winslett et al fails to expressly 
disclose that the determining step comprises comparing the URL of the request with a 
list of authorized URLs and determining that the server device is authorized to receive 
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the private information when the URL of the request is found within the list of authorized 
URLs. However, Baker et al discloses these features (see "various URLs that each 
user terminal should be allowed to transmit to public network 100" in Baker et al - 
column 4, lines 27-46). Therefore, it would have been obvious to one of ordinary skill in 
the art at the time the invention was made to modify Winslett et al by including steps for 
comparing the URL of the request and determining that the server device is authorized 
to receive the private information when the URL of the request is in the list of authorized 
URLs. One of ordinary skill in the art would have been motivated to do so in order to 
selectively control access to information (Baker et al - abstract). 

Claims 27-30 rejected under 35 U.S.C. 103(a) as being unpatentable over 
Winslett et al ("Assuring Security and Privacy") as applied to claims 1-23, 25-26, and 
31-36 above, and further in view of Gildea (US005523761A). 

As per claims 27, 28, and 30, in addition to the teachings applied above, Winslett 
et al discloses that the information received from the client device and network 
comprises location information associated with the location of the client device as 
discussed above with respect to claims 2, 25, and 26. Winslett et al fails to expressly 
disclose a location manager that performs a reconciliation process on the location 
information received from the client device. However, Gildea discloses these features 
(see "correction of a computed location . . . based upon the corrections required to 
reconcile the GPS-determined location of the reference station with the known location 
of the reference station" in Gildea - column 22, claim 61 , lines 20-29). Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was 
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made to modify Winslett et al by including a location manager as per the teachings of 
Gildea. One of ordinary skill in the art would have been motivated to do so in order to 
determine the location of a reference station or client (Gildea - column 22, claim 61 , 
lines 20-29). 

As per claim 29, in addition to the teachings applied above, Winslett et al fails to 
expressly disclose that the privacy agreement is provided in a markup language. 
Official notice is taken that it has been well known and practiced in the computer art to 
express information such as privacy agreements in markup languages such as HTML or 
XML to make this information reusable or computer platform-independent. Thus, 
accordingly such a claim would have been obvious. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to James Curcio whose telephone number is 703-305- 
8887. The examiner can normally be reached on Tuesday to Friday from 7 am to 5 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on Monday to Friday. The fax phone 
number for the organization where this application or proceeding is assigned is 703- 
872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
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For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

f 

April 2, 2004 

All 2132 Q3±*&> ^ 

GILBERTO BARRON 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 




